@contrast/assess 1.27.2 → 1.28.1

package/lib/dataflow/propagation/install/url/url.js

@@ -15,7 +15,6 @@
 
 'use strict';
 
-const { inspect } = require('@contrast/common');
 const { patchType } = require('../../common');
 
 module.exports = function(core) {
@@ -24,6 +23,7 @@ module.exports = function(core) {
     patcher,
     depHooks,
     assess: {
+      inspect, // todo: remove
       eventFactory: { createPropagationEvent },
       dataflow: { tracker }
     }

package/lib/dataflow/sinks/install/child-process.js

@@ -19,7 +19,6 @@ const {
   join,
   Rule: { CMD_INJECTION: ruleId },
   isString,
-  inspect,
 } = require('@contrast/common');
 const { InstrumentationType: { RULE } } = require('../../../constants');
 const { patchType } = require('../common');
@@ -35,6 +34,7 @@ module.exports = function(core) {
     depHooks,
     patcher,
     assess: {
+      inspect, // todo: remove
       getSourceContext,
       eventFactory: { createSinkEvent },
       dataflow: {

package/lib/dataflow/sinks/install/express/reflected-xss.js

@@ -15,7 +15,6 @@
 
 'use strict';
 
-const util = require('util');
 const {
   Rule: { REFLECTED_XSS: ruleId },
   DataflowTag: {
@@ -52,14 +51,13 @@ module.exports = function(core) {
       eventFactory: { createSinkEvent },
       dataflow: {
         tracker,
-        sinks: { isVulnerable, reportFindings, reportSafePositive }
+        sinks: { isVulnerable, reportFindings, reportSafePositive, isSafeContentType }
       },
       ruleScopes,
     },
   } = core;
 
   const reflectedXss = core.assess.dataflow.sinks.express.reflectedXss = {};
-  const inspect = patcher.unwrap(util.inspect);
 
   const safeTags = [
     `excluded:${ruleId}`,
@@ -81,7 +79,11 @@ module.exports = function(core) {
           name,
           patchType,
           around: (next, data) => {
-            if (!getSourceContext(RULE, ruleId)) return next();
+            const sourceContext = getSourceContext(RULE, ruleId);
+            if (!sourceContext) return next();
+
+            const { contentType } = sourceContext.responseData;
+            if (contentType && isSafeContentType(contentType)) return next();
 
             const [str] = data.args;
 
@@ -96,7 +98,7 @@ module.exports = function(core) {
                   tracked: true,
                   value: strInfo.value,
                 }],
-                context: `response.${method}(${inspect(strInfo.value)})`,
+                context: `response.${method}('${strInfo.value}')`,
                 history: [strInfo],
                 name,
                 moduleName: 'express',

package/lib/dataflow/sinks/install/express/unvalidated-redirect.js

@@ -15,7 +15,6 @@
 
 'use strict';
 
-const util = require('util');
 const {
   Rule: { UNVALIDATED_REDIRECT: ruleId },
   DataflowTag: {
@@ -46,6 +45,7 @@ module.exports = function(core) {
     patcher,
     config,
     assess: {
+      inspect, // todo: remove
       getSourceContext,
       eventFactory: { createSinkEvent },
       dataflow: {
@@ -56,7 +56,6 @@ module.exports = function(core) {
   } = core;
 
   const unvalidatedRedirect = core.assess.dataflow.sinks.express.unvalidatedRedirect = {};
-  const inspect = patcher.unwrap(util.inspect);
 
   const safeTags = [
     `excluded:${ruleId}`,

package/lib/dataflow/sinks/install/fastify/unvalidated-redirect.js

@@ -15,7 +15,6 @@
 
 'use strict';
 
-const util = require('util');
 const {
   Rule: { UNVALIDATED_REDIRECT: ruleId },
   DataflowTag: {
@@ -65,6 +64,7 @@ module.exports = function(core) {
     depHooks,
     patcher,
     assess: {
+      inspect, // todo: remove
       getSourceContext,
       eventFactory: { createSinkEvent },
       dataflow: {
@@ -76,8 +76,6 @@ module.exports = function(core) {
   const unvalidatedRedirect =
     (core.assess.dataflow.sinks.fastify.unvalidatedRedirect = {});
 
-  const inspect = patcher.unwrap(util.inspect);
-
   const safeTags = [
     `excluded:${ruleId}`,
     CUSTOM_ENCODED,

package/lib/dataflow/sinks/install/fs.js

@@ -25,7 +25,6 @@ const {
   },
   FS_METHODS,
   Rule: { PATH_TRAVERSAL: ruleId },
-  inspect,
   isString,
   join,
 } = require('@contrast/common');
@@ -36,6 +35,7 @@ module.exports = function(core) {
     depHooks,
     patcher,
     assess: {
+      inspect, // todo: remove
       getSourceContext,
       eventFactory: { createSinkEvent },
       dataflow: {

package/lib/dataflow/sinks/install/function.js

@@ -17,7 +17,6 @@
 
 const {
   isString,
-  inspect,
   join,
   DataflowTag: {
     UNTRUSTED,
@@ -47,6 +46,7 @@ module.exports = function (core) {
     logger,
     patcher,
     assess: {
+      inspect, // todo: remove
       getSourceContext,
       eventFactory: { createSinkEvent },
       dataflow: {

package/lib/dataflow/sinks/install/hapi/unvalidated-redirect.js

@@ -15,7 +15,6 @@
 
 'use strict';
 
-const util = require('util');
 const {
   Rule: { UNVALIDATED_REDIRECT: ruleId },
   DataflowTag: {
@@ -46,6 +45,7 @@ module.exports = function(core) {
     patcher,
     config,
     assess: {
+      inspect, // todo: remove
       getSourceContext,
       eventFactory: { createSinkEvent },
       dataflow: {
@@ -56,7 +56,6 @@ module.exports = function(core) {
   } = core;
 
   const unvalidatedRedirect = core.assess.dataflow.sinks.hapi.unvalidatedRedirect = {};
-  const inspect = patcher.unwrap(util.inspect);
 
   const safeTags = [
     `excluded:${ruleId}`,

package/lib/dataflow/sinks/install/http/request.js

@@ -17,7 +17,6 @@
 
 const Url = require('url');
 const {
-  inspect,
   isString,
   DataflowTag: {
     UNTRUSTED,
@@ -46,6 +45,7 @@ module.exports = function(core) {
     depHooks,
     patcher,
     assess: {
+      inspect, // todo: remove
       getSourceContext,
       eventFactory: { createSinkEvent },
       dataflow: {
@@ -104,11 +104,12 @@ module.exports = function(core) {
           pre(data) {
             if (!getSourceContext(RULE, ruleId)) return;
 
-            const [req] = data.args;
-            if (!req) return;
+            // url <string> |<URL>
+            const [urlArg] = data.args;
+            if (!urlArg) return;
 
             ['host', 'hostname', 'localAddress', 'protocol'].forEach((key) => {
-              const value = getValueFromReq(req, key);
+              const value = getValueFromReq(urlArg, key);
               if (!value) return;
 
               const strInfo = tracker.getData(value);
@@ -116,7 +117,7 @@ module.exports = function(core) {
 
               if (containsTrustedLib(strInfo.stack)) return;
 
-              const arg0 = isString(req) ? req : inspect(req);
+              const arg0 = isString(urlArg) ? urlArg : inspect(urlArg);
               const idx = arg0.indexOf(value);
               const urlTags = createAppendTags({}, strInfo.tags, idx);
 

package/lib/dataflow/sinks/install/koa/unvalidated-redirect.js

@@ -15,7 +15,6 @@
 
 'use strict';
 
-const util = require('util');
 const {
   DataflowTag: {
     UNTRUSTED,
@@ -47,6 +46,7 @@ module.exports = function(core) {
     patcher,
     config,
     assess: {
+      inspect, // todo: remove
       getSourceContext,
       eventFactory: { createSinkEvent },
       dataflow: {
@@ -56,7 +56,7 @@ module.exports = function(core) {
     },
   } = core;
 
-  const inspect = patcher.unwrap(util.inspect);
+
   const safeTags = [
     `excluded:${ruleId}`,
     CUSTOM_ENCODED,

package/lib/dataflow/sinks/install/libxmljs.js

@@ -23,7 +23,6 @@ const {
     ALPHANUM_SPACE_HYPHEN,
     LIMITED_CHARS,
   },
-  inspect
 } = require('@contrast/common');
 const { InstrumentationType: { RULE } } = require('../../../constants');
 const { patchType } = require('../common');
@@ -48,6 +47,7 @@ module.exports = function(core) {
     depHooks,
     patcher,
     assess: {
+      inspect, // todo: remove
       getSourceContext,
       eventFactory: { createSinkEvent },
       dataflow: {

package/lib/dataflow/sinks/install/marsdb.js

@@ -14,7 +14,6 @@
  */
 'use strict';
 
-const util = require('util');
 const {
   traverseValues,
   Rule: { NOSQL_INJECTION_MONGO: ruleId },
@@ -51,6 +50,7 @@ module.exports = function (core) {
     logger,
     patcher,
     assess: {
+      inspect, // todo: remove
       getSourceContext,
       eventFactory: { createSinkEvent },
       dataflow: {
@@ -61,7 +61,6 @@ module.exports = function (core) {
   } = core;
 
   const instr = core.assess.dataflow.sinks.marsdb = {};
-  const inspect = patcher.unwrap(util.inspect);
 
   function getVulnerabilityInfo(query) {
     let vulnInfo = null;

package/lib/dataflow/sinks/install/mongodb.js

@@ -28,7 +28,6 @@ const {
   isNonEmptyObject,
   traverseValues,
   isString,
-  inspect
 } = require('@contrast/common');
 const { InstrumentationType: { RULE } } = require('../../../constants');
 const utils = require('../../tag-utils');
@@ -83,6 +82,7 @@ module.exports = function (core) {
     logger,
     patcher,
     assess: {
+      inspect, // todo: remove
       getSourceContext,
       eventFactory: { createSinkEvent },
       dataflow: {
@@ -236,6 +236,49 @@ module.exports = function (core) {
     return { vulnInfo, reportSafe };
   };
 
+  /**
+   * Truncate `arg` values for reporting and get the adjusted `tags`.
+   * If an argument isn't directly relevant to the vulnerability, we report it by its type.
+   * If it is relevant, we truncate the value if it is an object or array, but not if it is a string.
+   * Ex1: Array truncations will look like `[...'<key>':'<value>'...]`
+   * Ex2: Object truncations will look like `{...'<key>':'<value>'...}`
+   * In the above examples, `key` will be the last value in the path array, and `value` should be the
+   * containing the injection. So whether the argument is a string or an object, the actual string value
+   * leading to the injection will not be truncated.
+   */
+  function getAdjustedFields(origArgs, vulnInfo, vulnArgIdx) {
+    const { path, strInfo } = vulnInfo;
+    const coercedArgs = [];
+    let prefix = '';
+    let suffix = '';
+
+    if (path) {
+      let openChar, closeChar;
+      if (Array.isArray(origArgs[vulnArgIdx])) {
+        openChar = '[';
+        closeChar = ']';
+      } else {
+        openChar = '{';
+        closeChar = '}';
+      }
+      prefix = `${openChar}...'${path[path.length - 1]}':'`;
+      suffix = `'...${closeChar}`;
+    }
+
+    for (let i = 0; i < origArgs.length; i++) {
+      if (i === vulnArgIdx) {
+        coercedArgs.push({ value: `${prefix}${strInfo.value}${suffix}`, tracked: true });
+      } else {
+        coercedArgs.push({ value: origArgs[i]?.constructor?.name ?? typeof origArgs[i], tracked: false });
+      }
+    }
+
+    return {
+      args: coercedArgs,
+      tags: prefix ? utils.createAppendTags(null, strInfo.tags, prefix.length) : strInfo.tags,
+    };
+  }
+
   function createAroundHook(entity, name, method, getInfoMethod, vulnerableArgIdxs) {
     const argsIdxsToCheck = vulnerableArgIdxs || [0];
     return function (next, data) {
@@ -290,19 +333,13 @@ module.exports = function (core) {
             : next();
         }
 
-        const { path, strInfo } = vulnInfo;
         const objName = getObjectName(obj, entity);
-        const args = origArgs.map((arg, idx) => ({
-          value: isString(arg) ? arg : inspect(arg, { depth: 4 }),
-          tracked: idx === vulnArgIdx,
-        }));
-
-        const tags = path ? utils.createAdjustedQueryTags(path, strInfo.tags, strInfo.value, args[vulnArgIdx].value) : strInfo?.tags;
+        const { args, tags } = getAdjustedFields(origArgs, vulnInfo, vulnArgIdx);
         const resultVal = args[args.length - 1].value.startsWith('[Function') ? '' : 'Promise';
         const sinkEvent = createSinkEvent({
           args,
           context: `${objName}.${method}(${args.map((a, idx) => isString(origArgs[idx]) ? `'${a.value}'` : a.value)})`,
-          history: [strInfo],
+          history: [vulnInfo.strInfo],
           object: {
             tracked: false,
             value: `mongodb.${entity}`,

package/lib/dataflow/sinks/install/mysql.js

@@ -28,7 +28,6 @@ const {
     UNTRUSTED
   },
   isString,
-  inspect,
 } = require('@contrast/common');
 const { InstrumentationType: { RULE } } = require('../../../constants');
 
@@ -54,6 +53,7 @@ module.exports = function(core) {
     depHooks,
     patcher,
     assess: {
+      inspect, // todo: remove
       getSourceContext,
       eventFactory: { createSinkEvent },
       dataflow: {

package/lib/dataflow/sinks/install/postgres.js

@@ -15,7 +15,6 @@
 
 'use strict';
 
-const util = require('util');
 const {
   DataflowTag: {
     CUSTOM_VALIDATED,
@@ -43,6 +42,7 @@ module.exports = function(core) {
     depHooks,
     patcher,
     assess: {
+      inspect, // todo: remove
       getSourceContext,
       eventFactory: { createSinkEvent },
       dataflow: {
@@ -60,8 +60,6 @@ module.exports = function(core) {
     CUSTOM_ENCODED,
   ];
 
-  const inspect = patcher.unwrap(util.inspect);
-
   const postgres = core.assess.dataflow.sinks.postgres = {};
 
   const preHook = (methodSignature) => (data) => {

package/lib/dataflow/sinks/install/sequelize.js

@@ -15,7 +15,6 @@
 
 'use strict';
 
-const util = require('util');
 const {
   Rule: { SQL_INJECTION: ruleId },
   DataflowTag: {
@@ -42,6 +41,7 @@ module.exports = function (core) {
     patcher,
     config,
     assess: {
+      inspect, // todo: remove
       getSourceContext,
       eventFactory: { createSinkEvent },
       dataflow: {
@@ -59,7 +59,6 @@ module.exports = function (core) {
     CUSTOM_ENCODED
   ];
   const requiredTag = UNTRUSTED;
-  const inspect = patcher.unwrap(util.inspect);
 
   const sequelize = (core.assess.dataflow.sinks.sequelize = {});
 

package/lib/dataflow/sinks/install/vm.js

@@ -25,7 +25,6 @@ const {
     LIMITED_CHARS,
   },
   Rule: { UNSAFE_CODE_EXECUTION: ruleId },
-  inspect,
   isNonEmptyObject,
   isString,
   join,
@@ -56,6 +55,7 @@ module.exports = function (core) {
     depHooks,
     patcher,
     assess: {
+      inspect, // todo: remove
       getSourceContext,
       eventFactory: { createSinkEvent },
       dataflow: {

package/lib/dataflow/sources/install/body-parser1.js

@@ -16,6 +16,7 @@
 'use strict';
 
 const { InputType } = require('@contrast/common');
+const { InstrumentationType: { SOURCE } } = require('../../../constants');
 const { patchType } = require('../common');
 
 const METHODS = ['json', 'raw', 'text', 'urlencoded'];
@@ -27,12 +28,18 @@ const INPUT_TYPES = {
 };
 
 module.exports = function init(core) {
-  const { assess, depHooks, logger, patcher, scopes } = core;
+  const {
+    scopes,
+    assess: { dataflow, getSourceContext },
+    depHooks,
+    logger,
+    patcher,
+  } = core;
 
   const preHook = (data) => {
     const [req, , next] = data.args;
     data.args[2] = scopes.wrap(function contrastNext(...args) {
-      const sourceContext = scopes.sources.getStore()?.assess;
+      const sourceContext = getSourceContext(SOURCE);
 
       if (!sourceContext) {
         logger.error({ funcKey: data.funcKey }, 'unable to handle source. Missing `sourceContext`');
@@ -68,7 +75,7 @@ module.exports = function init(core) {
       }
 
       try {
-        assess.dataflow.sources.handle({
+        dataflow.sources.handle({
           context,
           data: _data,
           name: data.name,
@@ -89,7 +96,7 @@ module.exports = function init(core) {
     });
   };
 
-  assess.dataflow.sources.bodyParser1Instrumentation = {
+  core.assess.dataflow.sources.bodyParser1Instrumentation = {
     install() {
       depHooks.resolve(
         { name: 'body-parser', version: '>=1.0.0' },
@@ -127,5 +134,5 @@ module.exports = function init(core) {
     }
   };
 
-  return assess.dataflow.sources.bodyParser1Instrumentation;
+  return core.assess.dataflow.sources.bodyParser1Instrumentation;
 };

package/lib/dataflow/sources/install/cookie-parser1.js

@@ -16,10 +16,11 @@
 'use strict';
 
 const { InputType } = require('@contrast/common');
+const { InstrumentationType: { SOURCE } } = require('../../../constants');
 const { patchType } = require('../common');
 
 module.exports = function init(core) {
-  const { assess, depHooks, logger, patcher, scopes } = core;
+  const { assess, depHooks, logger, patcher } = core;
 
   assess.dataflow.sources.cookieParser1Instrumentation = {
     install() {
@@ -39,11 +40,11 @@ module.exports = function init(core) {
                   const { funcKey } = data;
                   const [req, , next] = data.args;
                   data.args[2] = function contrastNext(...args) {
-                    const sourceContext = scopes.sources.getStore()?.assess;
+                    const sourceContext = assess.getSourceContext(SOURCE);
 
                     if (!sourceContext) {
                       logger.error({ funcKey }, 'unable to handle source. Missing `sourceContext`');
-                      return;
+                      return next(...args);
                     }
 
                     if (sourceContext.parsedCookies) {

package/lib/dataflow/sources/install/qs6.js

@@ -15,17 +15,19 @@
 
 'use strict';
 
-const { InputType } = require('@contrast/common');
+const { InputType: { QUERYSTRING: inputType } } = require('@contrast/common');
 const { patchType } = require('../common');
-
-const inputType = InputType.QUERYSTRING;
+const { InstrumentationType: { SOURCE } } = require('../../../constants');
 
 module.exports = (core) => {
   const {
     depHooks,
     patcher,
     logger,
-    assess: { dataflow: { sources } },
+    assess: {
+      getSourceContext,
+      dataflow: { sources }
+    },
   } = core;
 
   // Patch `qs`
@@ -36,7 +38,7 @@ module.exports = (core) => {
         name,
         patchType,
         post({ args, hooked, orig, result, funcKey }) {
-          const sourceContext = core.scopes.sources.getStore()?.assess;
+          const sourceContext = getSourceContext(SOURCE);
 
           if (!sourceContext) {
             logger.error({ inputType, funcKey }, 'unable to handle source. Missing `sourceContext`');

package/lib/dataflow/sources/install/querystring.js

@@ -17,9 +17,15 @@
 
 const { InputType } = require('@contrast/common');
 const { patchType } = require('../common');
+const { InstrumentationType: { SOURCE } } = require('../../../constants');
 
 module.exports = (core) => {
-  const { depHooks, patcher, logger } = core;
+  const {
+    assess: { getSourceContext },
+    depHooks,
+    patcher,
+    logger,
+  } = core;
 
   core.assess.dataflow.sources.querystringInstrumentation = {
     install() {
@@ -29,7 +35,7 @@ module.exports = (core) => {
           name,
           patchType,
           post({ args, hooked, orig, result, funcKey }) {
-            const sourceContext = core.scopes.sources.getStore()?.assess;
+            const sourceContext = getSourceContext(SOURCE);
             const inputType = InputType.QUERYSTRING;
 
             if (!sourceContext) return;

package/lib/dataflow/tag-utils.js

@@ -14,6 +14,8 @@
  */
 'use strict';
 
+const { split } = require('@contrast/common');
+
 //
 // This module implements tag range manipulation functions. There are generally
 // two types of functions:
@@ -461,8 +463,7 @@ function createAdjustedQueryTags(path, tags, value, argString) {
       break;
     }
   }
-
-  return idx >= 0 ? createAppendTags([], tags, idx) : [...tags];
+  return idx >= 0 ? createAppendTags([], tags, idx) : { ...tags };
 }
 
 /**
@@ -484,8 +485,8 @@ function createAdjustedQueryTags(path, tags, value, argString) {
  * - "?test=str","%3Ftest%3Dstr",{"UNTRUSTED":[0,8]} => {"UNTRUSTED":[3,6,10,12]}
  */
 function createEscapeTagRanges(input, result, tags) {
-  const inputArr = input.split('');
-  const escapedArr = result.split('');
+  const inputArr = split(input, '');
+  const escapedArr = split(result, '');
   const overlap = inputArr.filter((x) => {
     if (escapedArr.includes(x)) {
       return x;
@@ -519,6 +520,21 @@ function createEscapeTagRanges(input, result, tags) {
   return ret;
 }
 
+/**
+ * In reporting args, object, and return values, often the exact value isn't important.
+ * For untracked values that appear in call contexts it can be enough to just try to
+ * report the type of the arg/obj/result.
+ *  Example: the call
+ *  http.request('http://tracked-url', { method: 'post' });
+ *  would have event context string limited to
+ *  http.request('http://tracked-url,Object);
+ *
+ * @param {any} origValue value of event result, object, or arg
+ * @returns {string} the adjusted value for reporting
+ */
+function getAdjustedUntrackedValue(origValue) {
+  return origValue?.constructor?.name ?? (origValue === null ? 'null' : typeof arg);
+}
 
 module.exports = {
   createSubsetTags,
@@ -528,5 +544,6 @@ module.exports = {
   createTagsWithExclusion,
   createAdjustedQueryTags,
   createOverlappingTags,
-  createEscapeTagRanges
+  createEscapeTagRanges,
+  getAdjustedUntrackedValue,
 };

package/lib/get-source-context.js

@@ -39,7 +39,7 @@ module.exports = function(core) {
     const ctx = sources.getStore()?.assess;
 
     // policy will not exist if assess is altogether disabled for the active request e.g. url exclusion
-    if (!ctx || !ctx?.policy || instrumentation.isLocked()) return null;
+    if (!ctx?.policy || instrumentation.isLocked()) return null;
 
     switch (type) {
       case InstrumentationType.PROPAGATOR: {
@@ -50,6 +50,7 @@ module.exports = function(core) {
         if (ctx.sourceEventsCount > config.assess.max_context_source_events) return null;
         break;
       }
+
       case InstrumentationType.RULE: {
         const [ruleId] = rest;
         if (!ruleId) break;